Reputation: 31
My company has bought an HSM and we will generate the key pair and CSR inside there and then pass the CSR to a CA; upon receiving the .cer from the CA, we need to give the .p12 to the user. Is this arrangement possible? Because I heard that the HSM does not allow exporting anything out. How to do this in Luna HSM?
Upvotes: 1
Views: 1577
Reputation: 21
If you need your CA for ~20 years, it is good practice to have a backup of the key outside of the HSM and lock the backup in a safe (this is not as simple as it sounds though, plan carefully). The key is then imported into the HSM (with cmu importkey, and certificate with cmu import). If your key is generated inside the HSM, it will only unlock in a similar HSM from the same vendor, but your vendor may not exist or may not build compatible HSMs ten years from now. I have a backup in a safe and two identically configured Luna HSMs (plus two older nCiphers).
I'd generate random numbers with the HSM (into a file), go offline (like where you operate your root), generate the key pair and CSR, sign the CSR with the root, create the backup, and import the key pair and certificate into the HSM.
Upvotes: 0
Reputation: 2297
As per the Luna documentation, the following will create a request on the HSM (you will need to tweak the options):
cmu requestCert -publichandle=6 -privatehandle=7 -C=CA -L=Ottawa -O="Rainbow-Chrysalis" -CN="Test Certificate" -outputFile=testCert.req
However, you say you are going to export this as a PKCS#12 file to give to the user. That begs the question of why you are using an HSM in the first place. The idea behind an HSM is that it protects your private key. If you are exporting it in a PKCS#12 file, it defeats the object, and you might as well generate the private key and certificate request in software.
Upvotes: 1